A-4
User Guide for Cisco Security MARS Local Controller
78-17020-01
Appendix A Cisco Security MARS XML API Reference
XML Incident Notification Data File and Schema
<Source ipaddress="10.3.50.200" />
<Destination ipaddress="105.74.127.53" />
<SourcePort>0</SourcePort>
<DestinationPort>0</DestinationPort>
<Protocol>0</Protocol>
</NATtedEndPoints>
<FiringEventFlag>true</FiringEventFlag>
<RuleMatchOffset>1</RuleMatchOffset>
</Event>
</Session>
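<!-- One session of the incident, with the single event reported for it.
     In this sample the Session id and the Event id are the same value. -->
<Session id="286914072">
  <Instance>0</Instance>
  <SessionEndPoints>
    <Source ipaddress="10.3.50.200"/>
    <Destination ipaddress="133.67.205.96"/>
    <!-- Ports are 0 here; the raw message below carries no port numbers, so 0
         presumably means "not reported" (confirm against the schema). -->
    <SourcePort>0</SourcePort>
    <DestinationPort>0</DestinationPort>
    <!-- 6 is the IANA protocol number for TCP, matching "Deny tcp" in RawMessage. -->
    <Protocol>6</Protocol>
  </SessionEndPoints>
  <Event id="286914072">
    <EventType id="1139"/>
    <!-- Locale-formatted local time with a zone abbreviation (PDT); convert to
         UTC before correlating with other log sources. -->
    <TimeStamp>May 23, 2007 8:13:10 AM PDT</TimeStamp>
    <ReportingDevice id="128783"/>
    <!-- RawMessage is the reporting device's own syslog text. The syslog priority
         field is written in angle brackets, so it must be escaped for the file to
         be well-formed; the printed listing shows it unescaped. Consumers should
         keep this value as opaque text and escape it again for any HTML, e-mail
         or ticket view it is copied into. -->
    <RawMessage>Wed May 23 08:13:10 2007 &lt;134&gt;%PIX-1-106022: Deny tcp
connection spoof from 10.3.50.200 to 133.67.205.96 on interface inside</RawMessage>
    <FalsePositiveType>NOT_AVAILABLE</FalsePositiveType>
    <EventEndPoints>
      <Source ipaddress="10.3.50.200"/>
      <Destination ipaddress="133.67.205.96"/>
      <SourcePort>0</SourcePort>
      <DestinationPort>0</DestinationPort>
      <Protocol>6</Protocol>
    </EventEndPoints>
    <!-- Identical to EventEndPoints in this sample, i.e. no address translation
         is visible for this event. -->
    <NATtedEndPoints>
      <Source ipaddress="10.3.50.200"/>
      <Destination ipaddress="133.67.205.96"/>
      <SourcePort>0</SourcePort>
      <DestinationPort>0</DestinationPort>
      <Protocol>6</Protocol>
    </NATtedEndPoints>
    <FiringEventFlag>true</FiringEventFlag>
    <RuleMatchOffset>1</RuleMatchOffset>
  </Event>
</Session>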
<!-- Rule record carried in the notification (presumably the rule that fired for
     this incident; confirm against the schema). Name and Description are
     operator-entered free text, so a consumer should escape them before showing
     them in a web page or ticket. -->
<Rule id="128791">
  <Name>bd</Name>
  <Description>stack and decker</Description>
</Rule>
<!-- Address object carried in the notification. Only IPAddress is populated in
     this sample; every other field is an empty element. -->
<NetworkAddressObj id="4164952920">
  <IPAddress>248.64.35.88</IPAddress>
  <MAC/>
  <DNSName/>
  <DynamicInfo>
    <HostName/>
    <MACAddress/>
    <AAAUser/>
    <EnforcementDeviceAndPort/>
    <ReportingDevice/>
    <!-- All three times equal Unix epoch zero (1970-01-01T00:00:00Z) rendered in
         PST, so they are presumably unset rather than real 1969 times; a consumer
         should treat this value as "no data" and keep it out of timelines. -->
    <StartTime>Dec 31, 1969 4:00:00 PM PST</StartTime>
    <EndTime>Dec 31, 1969 4:00:00 PM PST</EndTime>
    <UpdateTime>Dec 31, 1969 4:00:00 PM PST</UpdateTime>
  </DynamicInfo>
</NetworkAddressObj>
<NetworkAddressObj id="2235813216">